php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #666 Possibly denial of service attack using file upload facility
Submitted: 1998-08-19 06:10 UTC Modified: 1998-08-25 16:08 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: zavadsky at im dot bas-net dot by Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 3.0.2a OS: ALL
Private report: No CVE-ID: None
 [1998-08-19 06:10 UTC] zavadsky at im dot bas-net dot by
Using file upload facility, it is very easy to perform denial of service attack on any php script.

1. One should create an html form and set action to attacked php script.
2. In this form, indicate enctype="multipart/form-data" and set MAX_FILE_SIZE to a large enough value.
3. Select a large enough file and submit the form.
4. Repeat several times.

All files still resides at /tmp directory because the knows nothing about them.
Possible solution:
1. Deletion of the file by php engine at the end of script.
2. Explicit activation of upload processing of a file by a new function.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [1998-08-25 16:08 UTC] rasmus
Ok, this was a good one.  Very obvious too, but for some reason I hadn't thought of it before.  Thanks for bringing it up.  I have added two things to 3.0.4.  First, the uploaded temporary file now gets deleted at the end of a request, and second, I added an upload_max_filesize directive along with the corresponding php3_upload_max_filesize Apache directive.  This could be set to 0 to completely disallow file uploads and then specifically set higher on a per-server, per-dir or even per-file basis in the Apache .conf file.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC